Chapter5 Security

7/29/2019 Chapter5 Security

1/91

Copyright 2002 Pearson Education, Inc. Slide 5-1 Copyright 2002 Pearson Education, Inc. Slide 5-2

CHAPTER 5

Created by, David Zolzer, Northwestern State UniversityLouisiana

Security and Encryption

Copyright 2002 Pearson Education, Inc. Slide 5-3

Learning Objectives

Understand the scope of e -commercecrime and security problems

Describe the key dimensions of e-

commerce security

Understand the tension between securityand other values

Identify the key security threats in the e -commerce environment


Learning Objectives

Describe how various forms of encryptiontechnology help protect the security ofmessages sent over the Internet

Identify the tools used to establish secureInternet communications channels

Identify the tools used to protectnetworks, servers, and clients

Appreciate the importance of policies,procedures, and laws in creating security


The E-commerce SecurityEnvironment

Recent survey of 538 securitypractitioners in U.S. corporations andgovernment agencies reported: 85% detected breaches of computer security

within the last 12 months

64% acknowledged financial loss as a result 35% quantified their financial loss to total $337

million in aggregate


The E-commerce SecurityEnvironment

Most serious losses involved theft ofproprietary information or financial fraud

40% reported attacks from outside the

organization

38% experienced denial of service attacks

94% detected virus attacks


2/92


Internet Fraud Complaints Reportedto the IFCCPage 232, Figure 5.1


The E-commerce SecurityEnvironmentPage 234, Figure 5.2


Dimensions ofE-commerce Security

Integrity refers to the ability to ensure thatinformation being displayed on a Web siteor transmitted or received over the

Internet, has not been altered in any way

by an unauthorized party Nonrepudiation refers to the ability to

ensure that e -commerce participants donot deny (I.e., repudiate) their onlineactions



Authenticity refers to the ability to identifythe identity of a person or entity withwhom you are dealing on the Internet

Confidentiality refers to the ability to

ensure that messages and data areavailable only to those who are authorized

to view them



Privacy refers to the ability to ensure theuse of information about oneself

Availability refers to the ability to ensure

that an e-commerce site continues tofunction as intended



Page 235, Table 5.1


3/93


The Tension Between Security andOther Values

Ease of use The more security measures that are added to

an e-commerce site, the more difficult it is touse and the slower the site becomes,hampering ease of use. Security is purchasedat the price of slowing down processors andadding significantly to data storage demands.Too much security can harm profitability, whilenot enough can potentially put a business outof business.


The Tension Between Security andOther Values

Public Safety and the Criminal Uses ofSecurity

There is tension between the claims ofindividuals to act anonymously and the needsof the public officials to maintain public safetythat can be threatened by criminals orterrorists .


Security Threats in theE-commerce Environment

Three key points of vulnerability

the client

the server

communications pipeline


A Typical E-commerceTransactionPage 238, Figure 5.3


Vulnerable Points in anE-commerce EnvironmentPage 239, Figure 5.4


Seven Security Threats to E-commerce Sites

Malicious code

includes a variety of threats such as viruses,worms, Trojan horses, and bad applets

virus is a computer program that has theability to replicate or make copies of itself, andspread to other files

worm is designed to spread from computer tocomputer

Trojan horse appears to be benign, but thendoes something other than expected


4/94


Examples of MaliciousCodePage 241

Table 5.2



Hacking and cybervandalism hacker is an individual who intends to gain

unauthorized access to a computer system

cracker is the term typically used within thehacking community to demote a hacker withcriminal intent

cybervandalism is intentionally disrupting,defacing, or even destroying a site



Hacking and cybervandalism white hats are good hackers that help

organizations locate and fix security flaws

black hats are hackers who act with theintention of causing harm

grey hats are hackers who believe they arepursuing some greater good by breaking inand revealing system flaws



Credit card fraud

Different from traditional commerce

Hackers target files on merchant server

Spoofing

Misrepresenting oneself by using fake emailaddresses or masquerading as someone else



Denial of Service Attacks

Flooding a Web site with useless traffic toinundate and overwhelm the network

Distributed Denial of Service attack usesnumerous computers to attack the targetnetwork from numerous launch points



Sniffing

A type of eavesdropping program thatmonitors information traveling over a network

Insider Jobs

Employees with access to sensitiveinformation

Sloppy internal security procedures

Able to roam throughout an organization ssystem without leaving a trace


5/95


Tools Available to Achieve SiteSecurityPage 247, Figure 5.5


Encryption

The process of transforming plain text ordata into cipher text that cannot be readby anyone outside of the sender and the

receiver. The purpose of encryption is (a)to secure stored information and (b) to

secure information transmission.

Cipher text is text that has been encryptedand thus cannot be read by anyonebesides the sender and the receiver


Encryption

Key or cipher is any method fortransforming plain text to cipher text

Substitution cipher is where every

occurrence of a given letter is

systematically replaced by another letter Transposition cipher changes the ordering

of the letters in each word in some

systematic way


Encryption

Symmetric key encryption (secret keyencryption) the sender and the receiveruse the same key to encrypt and decrypt

the message

Data Encryption Standard (DES) is themost widely used symmetric key

encryption, developed by the NationalSecurity Agency (NSA) and IBM. Uses a56-bit encryption key


Encryption

Public key cryptography uses two mathematicallyrelated digital keys are used: a public key and aprivate key.

The private key is kept secret by the owner, andthe public key is widely disseminated.

Both keys can be used to encrypt and decrypt amessage.

However, once the keys are used to encrypt amessage, the same key cannot be used tounencrypt the message


Public Key Cryptography -A Simple CasePage 251, Figure 5.6


6/96


Public Key Cryptography withDigital SignaturesPage 252, Figure 5.7


Encryption

Digital signature is a signed cipher textthat can be sent over the Internet

Hash function uses an algorithm that

produces a fixed-length number called ahash or message digest

Digital envelop is a technique that usessymmetric encryption for large

documents, but public key encryption toencrypt and send the symmetric key


Public Key Cryptography: Creatinga Digital EnvelopePage 254, Figure 5.8


Digital Certificates and Public KeyInfrastructurePage 255, Figure 5.9


Encryption

Digital certificate is a digital documentissued by a certification authority thatcontains the name of the subject orcompany, the subject s public key, adigital certificate serial number, anexpiration date, the digital signature of thecertification authority, and otheridentifying information

Certification Authority (CS) is a trustedthird party that issues digital certificates


Encryption

Public Key Infrastructure (PKI) arecertification authorities and digitalcertificate procedures that are accepted

by all parties

Pretty Good Privacy (PGP) is a widelyused email public key encryption software

program


7/97


Securing Channels ofCommunications

Secure Sockets Layer (SSL) is the mostcommon form of securing channels

Secure negotiated session is a client-server session in which the URL of therequested document, along with thecontents, the contents of forms, and thecookies exchanged, are encrypted.

Session key is a unique symmetricencryption key chosen for a single securesession


Secure Negotiated Sessions UsingSSLPage 259, Figure 5.10


Securing Channels ofCommunications

Secure Hypertext Transfer Protocol (S-HTTP) is asecure message -oriented communicationsprotocol designed for use in conjunction withHTTP. Cannot be used to secure non-HTTPmessages

Virtual Private Networks (VPN) allow remoteusers to securely access internal networks viathe Internet, using Point-to-Point TunnelingProtocol (PPTP)

PPTP is an encoding mechanism that allows onelocal network to connect to another using theInternet as a conduit


Protecting Networks

Firewalls are software applications thatact as a filter between a company s privatenetwork and the Internet itself

Proxy server is a software server that

handles all communications originatingfrom or being sent to the Internet, acting

as a spokesperson or bodyguard for theorganization


Firewalls and Proxy ServersPage 262, Figure 5.11


Protecting Servers and Clients

Operating system controls allow for theauthentication of the user and accesscontrols to files, directories, and network

paths

Anti-virus software is the easiest and leastexpensive way to prevent threats to

system integrity


8/98


Policies, Procedures, and Laws

Developing an e-commerce security plan

perform a risk assessment

develop a security policy

develop an implementation plan

create a security organization

perform a security audit


Developing anE-commerce Security PlanPage 264, Figure 5.12


A Security Plan: ManagementPolicies

Risk assessment is the assessment ofrisks and points of vulnerability

Security policy is a set of statementsprioritizing the information risks,identifying acceptable risk targets, andidentifying the mechanisms for achievingthese targets

Implementation plan is the action stepsyou will take to achieve the security plangoals



Security organization educations andtrains users, keeps management aware ofsecurity threats and breakdowns, andmaintains the tools chosen to implementsecurity

Access controls determine who can gainlegitimate access to a network

Authentication procedures include the useof digital signatures, certificates ofauthority, and public key infrastructure



Biometrics is the study of measurablebiological or physical characteristics thatcan be used for access controls

Authorization policies determine differinglevels of access to information assets fordiffering levels of users

Authorization management systemestablishes where and when a user ispermitted to access certain parts of a Website



Security audit involves the routine reviewof access logs identifying how outsidersare using the site as well as how insidersare accessing the site s assets

Tiger team is a group whose sole jobactivity is attempting to break into a site

CERT Coordination Center monitors andtracks criminal activity reported to it byprivate corporations and governmentagencies that seek out its help


9/9


Role of of Laws andPublic Policy

National Infrastructure Protection Centeris a unit within the FBI whose sole missionis to identify and combat threats against

the United States technology andtelecommunications infrastructure

DCS100 (Carnivore) an email sniffing

software program developed by the FBIthat can copy and filter all data sent from auser s computer to a local ISP


E-commerce Security LegislationPage 268, Table 5.3


Government Efforts to Regulateand Control EncryptionPage 269, Table 5.4

Chapter5 Security

Documents